Australian Privacy Act 1988: What Businesses Need to Know
A practical guide to the Australian Privacy Act 1988, covering the 13 APPs, compliance requirements, penalties, and how the Act applies to your business.
The Australian Privacy Act 1988 is the federal law that governs how organisations and government agencies handle personal information in Australia. If you collect, store, or process data about individuals in Australia, the Australian Privacy Act 1988 sets the legal boundaries for what you can and cannot do with that information.
This guide breaks down the Act's key provisions, who it applies to, and what compliance looks like in practice. The information here is educational and should not be treated as legal advice. Work with a qualified legal professional for advice tailored to your specific situation.
What Is the Australian Privacy Act 1988?
The Australian Privacy Act 1988 (Cth) is a federal statute that regulates the handling of personal information by Australian Government agencies and private sector organisations. It was originally enacted to protect individuals' personal information held by Commonwealth agencies, and its scope expanded significantly over the following decades.
The Act provides the legal framework for 13 Australian Privacy Principles (APPs), which set out standards for:
- Collecting personal information
- Using and disclosing personal information
- Maintaining the quality and security of personal information
- Providing individuals with access to and correction of their personal information
- Accountability and transparency in data handling practices
The Office of the Australian Information Commissioner (OAIC) is responsible for administering and enforcing the Act. The OAIC handles privacy complaints, conducts investigations, publishes guidance, and can take enforcement action against organisations that breach the APPs.
History and Key Amendments to the Privacy Act 1988
The Australian Privacy Act 1988 has undergone several major amendments since its original enactment. Understanding this history helps explain why the current framework looks the way it does.
Timeline of Major Changes
- 1988 (enactment): The Act applied only to Commonwealth Government agencies, establishing Information Privacy Principles (IPPs)
- 2000 (private sector extension): The Privacy Amendment (Private Sector) Act 2000 brought private organisations with annual turnover exceeding $3 million under the Act, introducing the National Privacy Principles (NPPs)
- 2010 (credit reporting reforms): The Privacy Amendment (Enhancing Privacy Protection) Act 2012 reformed credit reporting provisions and introduced a more comprehensive credit reporting code
- 2014 (APP reform): The 13 Australian Privacy Principles replaced the separate IPPs and NPPs on 12 March 2014, creating a unified set of principles for all APP entities
- 2018 (mandatory breach notification): The Notifiable Data Breaches scheme under Part IIIC commenced on 22 February 2018, requiring APP entities to report eligible data breaches
- 2022 (enforcement overhaul): The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 dramatically increased maximum penalties and expanded the OAIC's enforcement powers
Each amendment reflected evolving community expectations and the growing role of personal data in the digital economy. The current reform process, following the Attorney-General's Privacy Act Review Report of February 2023, represents the most comprehensive set of proposed changes since the private sector extension in 2000.
Who Must Comply With the Australian Privacy Act 1988
The Act applies to entities classified as "APP entities." Whether the Australian Privacy Act 1988 covers your organisation depends on several factors.
Entities That Must Comply
- Australian Government agencies: All Commonwealth agencies and bodies, excluding state and territory government agencies (which are covered by their own legislation)
- Private sector organisations over $3 million AUD turnover: Any business, trust, partnership, or unincorporated association with annual turnover above this threshold
- Health service providers: Regardless of size or turnover, including medical practitioners, pharmacists, psychologists, and allied health professionals
- Credit reporting bodies and credit providers: Organisations involved in credit reporting activities
- Small businesses in specified categories: Those that trade in personal information, provide services under Commonwealth contracts, are related to a larger organisation covered by the Act, operate residential tenancy databases, or have voluntarily opted in
Entities Generally Exempt
- Small businesses with annual turnover of $3 million or less (unless they fall into an exception)
- State and territory government agencies (covered by state privacy laws)
- Political parties, registered political representatives, and political acts and practices
- Media organisations in relation to their journalism activities (if committed to published privacy standards)
- Employee records in relation to current and former employees (the employee records exemption under Section 7B)
The employee records exemption is one of the most significant gaps in the current framework. It means that private sector employers are not subject to the APPs when handling current and former employee records for purposes directly related to the employment relationship. The Privacy Act Review has recommended removing this exemption.
The 13 Australian Privacy Principles Under the Act
The Australian Privacy Principles are the operational requirements that APP entities must follow. They are organised into five groups covering the full lifecycle of personal information.
Part 1: Consideration of Personal Information Privacy
APP 1 (Open and transparent management of personal information) requires organisations to take reasonable steps to implement practices, procedures, and systems that ensure compliance with the APPs. The most visible requirement is maintaining a clearly expressed, up-to-date privacy policy available free of charge. The policy must describe the kinds of information collected, how it is collected, the purposes for collection, how individuals can access and correct their information, and whether information is disclosed overseas.
A privacy policy generator can help you create a policy that addresses APP 1 requirements, though you should have a legal professional review the final document for your specific circumstances.
APP 2 (Anonymity and pseudonymity) requires organisations to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the organisation. This applies unless it is impracticable to do so or the organisation is required or authorised by law to deal with identified individuals.
Part 2: Collection of Personal Information
APP 3 (Collection of solicited personal information) limits what organisations can collect. An organisation must only collect personal information that is reasonably necessary for its functions or activities. For sensitive information (a defined subcategory that includes health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, and criminal records), the organisation must obtain the individual's consent and the information must be reasonably necessary.
APP 4 (Dealing with unsolicited personal information) addresses situations where an organisation receives personal information it did not request. Within a reasonable period, the organisation must determine whether it could have collected the information under APP 3. If not, and the information is not contained in a Commonwealth record, the organisation must destroy or de-identify the information as soon as practicable.
APP 5 (Notification of the collection of personal information) requires organisations to notify individuals about the collection at or before the time of collection, or as soon as practicable afterwards. The notice must cover the organisation's identity, the purpose of collection, the consequences of non-collection, third parties to whom the information may be disclosed, the privacy policy, and whether information will be disclosed overseas.
Part 3: Dealing With Personal Information
APP 6 (Use or disclosure of personal information) restricts what organisations can do with collected data. Information may only be used or disclosed for the primary purpose of collection. Secondary use or disclosure is permitted if the individual would reasonably expect it and the secondary purpose is related to the primary purpose (or directly related, in the case of sensitive information), or if the individual consents.
APP 7 (Direct marketing) imposes specific rules on using personal information for marketing. Organisations using information obtained directly from the individual may do so for direct marketing if the individual would reasonably expect it, and the organisation provides a simple opt-out mechanism. If the information was obtained from a third party, additional conditions and consent requirements apply.
Part 4: Integrity and Correction of Personal Information
APP 10 (Quality of personal information) requires organisations to take reasonable steps to ensure personal information is accurate, up-to-date, complete, and relevant, having regard to the purpose for which it is used or disclosed.
APP 11 (Security of personal information) requires reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. It also requires organisations to destroy or de-identify personal information they no longer need for any purpose, unless retention is required by law.
APP 12 (Access to personal information) gives individuals the right to request access to personal information an organisation holds about them. The organisation must respond within 30 days and provide access in the manner requested by the individual if reasonable and practicable. Access may be refused in specific circumstances, such as where it would be unlawful or would prejudice enforcement activities.
APP 13 (Correction of personal information) requires organisations to take reasonable steps to correct personal information they hold if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading. If the organisation refuses a correction request, it must provide written notice with reasons and the complaint mechanisms available.
Part 5: Cross-Border Disclosure
APP 8 (Cross-border disclosure of personal information) addresses international data transfers. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. The disclosing entity remains accountable for the overseas recipient's actions. Exceptions apply where the individual consents after being informed that APP 8 protections will not apply, where the disclosure is required by law, or where a binding legal arrangement ensures APP-equivalent protection.
APP 9 (Adoption, use, or disclosure of government-related identifiers) prevents organisations from adopting a government identifier (such as a Medicare number or tax file number) as their own identifier for individuals, except in limited circumstances.
Data Breach Notification Under the Privacy Act 1988
The Notifiable Data Breaches (NDB) scheme, introduced under Part IIIC of the Australian Privacy Act 1988, has been in force since 22 February 2018. It applies to all APP entities (with limited exceptions for certain intelligence agencies).
What Constitutes an Eligible Data Breach
An eligible data breach has three elements:
- Unauthorised access to, unauthorised disclosure of, or loss of personal information held by the entity
- A reasonable person would conclude the breach is likely to result in serious harm to any affected individual
- The entity has not been able to prevent the likely risk of serious harm through remedial action (such as remote wiping a lost device or changing compromised passwords before misuse occurs)
Assessment and Notification Process
When an entity suspects a breach may have occurred, it has 30 days to conduct a reasonable and expeditious assessment. If the assessment confirms an eligible data breach, the entity must notify:
- The OAIC, using the approved form on the OAIC website
- Each affected individual (or, if this is not practicable, publish a statement on its website and take reasonable steps to publicise it)
The notification must include a description of the breach, the kinds of information involved, and recommendations about steps individuals should take in response.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowThe OAIC reported 527 data breach notifications in the July to December 2024 reporting period, with the health, finance, and insurance sectors reporting the highest volumes.
Penalties for Breaching the Australian Privacy Act 1988
The penalty regime under the Australian Privacy Act 1988 was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.
Maximum Penalties
For a body corporate that commits a serious or repeated interference with the privacy of an individual, the maximum penalty is the greatest of:
- $50 million AUD
- Three times the value of any benefit obtained directly or indirectly from the contravening conduct
- 30% of the entity's adjusted domestic turnover during the breach turnover period
For individuals, the maximum penalty is $2.5 million AUD.
How Penalties Compare Internationally
These penalties are broadly comparable to other major privacy frameworks:
- EU GDPR: Up to 20 million EUR or 4% of annual worldwide turnover
- UK GDPR: Up to 17.5 million GBP or 4% of annual worldwide turnover
- Canada PIPEDA: Up to $100,000 CAD per violation (though the proposed Consumer Privacy Protection Act would increase this to up to $25 million CAD or 5% of global revenue)
Enforcement in Practice
The OAIC has pursued several high-profile enforcement actions:
- Facebook (Meta): The OAIC commenced Federal Court proceedings over the Cambridge Analytica data sharing, alleging the personal information of over 300,000 Australian users was disclosed without consent
- Clearview AI: The OAIC determined that Clearview AI breached the Privacy Act by scraping Australians' facial images from the internet without consent
- Medibank: Following a 2022 data breach affecting 9.7 million customers, the OAIC commenced proceedings seeking penalties for alleged privacy failures
These cases demonstrate that the OAIC is increasingly willing to use its enforcement powers, particularly after the 2022 penalty increases.
Practical Compliance With the Australian Privacy Act 1988
Compliance with the Australian Privacy Act 1988 requires both documentation and operational practices. The following steps provide a practical framework for businesses.
Step 1: Determine Whether You Are Covered
Assess whether your organisation is an APP entity. Consider your annual turnover, whether you provide health services, whether you trade in personal information, and whether any of the other coverage criteria in Section 6D apply.
Step 2: Map Your Personal Information Flows
Document what personal information you collect, where it comes from, how it is stored, who has access, whether it is disclosed to third parties or overseas, and when it is destroyed or de-identified. This data mapping exercise is foundational for all other compliance activities.
Step 3: Publish a Compliant Privacy Policy
Your privacy policy must meet the requirements of APP 1. It should cover:
- Your organisation's identity and contact details
- The kinds of personal information you collect and hold
- How personal information is collected
- The purposes of collection
- How individuals can access and seek correction of their information
- How individuals can complain about privacy breaches
- Whether you disclose personal information overseas and, if so, the countries involved
Step 4: Implement Collection Notices and Consent Mechanisms
Ensure you provide APP 5 collection notices wherever you gather personal data, whether through website forms, phone calls, or in-person interactions. For sensitive information, implement explicit consent mechanisms that meet the requirements of APP 3.
Step 5: Secure Personal Information
APP 11 requires "reasonable steps" to protect data. What is reasonable depends on the nature and sensitivity of the information, the potential consequences of a breach, and the organisation's resources. At minimum, consider encryption at rest and in transit, access controls, staff training, regular security assessments, and an incident response plan.
If your website uses cookies or tracking technologies, a proper cookie policy generator can help you document these practices, and a privacy policy generator can address the broader requirements under the APPs.
Step 6: Prepare a Data Breach Response Plan
Document how your organisation will detect, assess, contain, and report data breaches. Assign roles and responsibilities, establish communication templates, and test the plan periodically. The 30-day assessment window under the NDB scheme requires quick action.
Step 7: Establish Access and Correction Processes
Create internal procedures for handling APP 12 access requests and APP 13 correction requests within the 30-day response period. Train relevant staff on how to verify identity, locate records, and respond in writing.
Proposed Reforms and Future Changes
The Privacy Act Review Report, released in February 2023 by the Attorney-General's Department, recommended 116 changes to the Australian Privacy Act 1988. The government has agreed, or agreed in principle, to the majority of these proposals.
Major proposed reforms include:
- Removing the small business exemption: All businesses would be covered regardless of turnover, with a transition period and simplified compliance pathways for small businesses
- Removing the employee records exemption: Employers would need to comply with the APPs when handling employee records
- Introducing a right to erasure: Similar to GDPR Article 17, individuals could request deletion of their personal information
- Direct right of action: Individuals could sue for compensation for privacy breaches without first going through the OAIC
- Statutory tort of serious invasion of privacy: A new cause of action for intrusion upon seclusion or misuse of private information
- Children's Online Privacy Code: Mandatory requirements for services likely to be accessed by children, including age-appropriate design principles
- Strengthened consent requirements: Consent must be voluntary, informed, specific, current, and unambiguous
- Transparency for automated decision-making: Organisations would need to disclose when automated systems make decisions that significantly affect individuals
These reforms will be implemented in phases. Businesses should begin preparing now, particularly for the removal of the small business and employee records exemptions, which will significantly expand the Act's coverage.
Frequently Asked Questions
When was the Australian Privacy Act 1988 enacted?
The Australian Privacy Act 1988 received Royal Assent on 25 January 1989 and commenced on 1 January 1990. It originally applied only to Commonwealth Government agencies. The Act was extended to the private sector in December 2001 through the Privacy Amendment (Private Sector) Act 2000, and the current 13 Australian Privacy Principles replaced the earlier separate principles on 12 March 2014.
What personal information is protected under the Privacy Act 1988?
The Privacy Act 1988 defines personal information broadly as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This includes names, addresses, email addresses, phone numbers, dates of birth, financial details, IP addresses where they identify an individual, and photographs. Sensitive information such as health data, biometric data, and political opinions receives additional protection.
Are small businesses exempt from the Australian Privacy Act 1988?
Small businesses with an annual turnover of $3 million AUD or less are generally exempt from the Privacy Act 1988. However, exceptions apply. Small businesses must comply if they provide health services, trade in personal information, are a credit reporting body, are related to a larger organisation, are a contracted service provider for a Commonwealth contract, or have opted in to coverage. The Australian Government has agreed to remove this exemption as part of proposed reforms.
How does the Australian Privacy Act 1988 apply to websites?
Websites operated by APP entities must comply with the Privacy Act 1988 in several ways. They must publish a privacy policy (APP 1), provide collection notices when gathering personal data through forms or cookies (APP 5), obtain consent before collecting sensitive information (APP 3), secure stored data against breaches (APP 11), and allow users to access and correct their personal information (APPs 12 and 13). Websites that collect data from visitors, whether through contact forms, analytics, or account creation, are subject to these requirements.